NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

Evaluation of Project Risks Associated with Upgrade to Comprehensive Human Resources Integrated System (CHRIS)

OIG-02-03      March 7, 2002

Frank Thomas
Inspector General

Released by: William A. DeSarno, Deputy Inspector General
Auditor in Charge: Tammy F. Rapp, Senior IT Auditor


Evaluation of Project Risks Associated with Upgrade to Comprehensive Human Resources Integrated System (CHRIS)

Table of Contents

Executive Summary ............................................................ i
Background ................................................................... 1
Scope, Objectives and Methodology ............................................ 1
Findings and Recommendations ................................................. 5
     1. A structured system development life cycle (SDLC) and acquisition process or policy should be developed and enforced ..... 6
     2. Active OCIO involvement is needed for SDLC projects ..... 7
     3. Formal requirements definition was not performed and detailed statement of work from GSA was insufficient ..... 8
     4. Periodic reevaluation of the CHRIS business case is needed ..... 10
     5. A structured SDLC project team should be implemented ..... 12
     6. Detailed system security requirements and access control need to be defined ..... 13
     7. User acceptance testing needs to be defined ..... 13
     8. Data integrity controls need to be defined ..... 15


EVALUATION OF PROJECT RISKS ASSOCIATED WITH CHRIS

EXECUTIVE SUMMARY

We performed a review of the National Credit Union Administration’s (NCUA) planned upgrade to a new comprehensive human resources system. NCUA currently utilizes the General Services Administration’s (GSA) Personnel Information Resource System (PIRS). NCUA entered into an interagency agreement with GSA for the migration from PIRS to the Comprehensive Human Resources Integrated System (CHRIS), which is currently scheduled to be implemented by the end of February 2002. Other than GSA, NCUA will be the first government agency to implement the customized version of CHRIS.

The purpose of our review was to determine whether NCUA has mitigated the project risks of a major HR system upgrade by performing appropriate analysis, planning, and monitoring. We contracted with Urbach Kahn & Werlin Advisors Inc. to provide technical assistance. Our review was performed from October 31, 2001 through January 15, 2002.

The focus of this review was intended to provide reasonable assurance regarding the design and effectiveness of controls over systems and procedures. Our review identified several system migration weaknesses. These weaknesses could lead to overall increased project risk, NCUA needs/requirements not being met, the planned implementation timeframe not being met, increased security and system access risks, and expanding costs.

This report offers eight recommendations to help NCUA mitigate identified project risks.

   •   Ensure a structured process is in place for the development and acquisition of third party systems.
   •   Active OCIO involvement regarding the technical aspects of the evaluation process.
   •   Statements of Work should include a specific description of deliverables, and provision for reasonable acceptance testing.
   •   Reevaluate the cost/benefits of CHRIS versus existing COTS packages now available.
   •   Implement an SDLC methodology that includes the role of key players who may be involved in the development and implementation processes.
   •   Define system security and access control requirements.
   •   Define user acceptance testing needs.
   •   Retain and review CHRIS system documentation.

These issues and the associated recommendations are discussed in detail in the attached report.


BACKGROUND

NCUA currently utilizes the General Services Administration’s (GSA) Personnel Information Resource System (PIRS), Payroll, Accounting, and Reporting System (PAR), Electronic Time and Attendance Management System (ETAMS) and limited functionality within the HR module of SAP. NCUA has entered an interagency agreement with GSA for the migration from PIRS to the Comprehensive Human Resources Integrated System (CHRIS) in early 2002.

Infrastructure: The modernized CHRIS/PAR software, and the platform upon which the software resides, will be owned and maintained by GSA. There is a single HR and payroll data center located in Beltsville, MD. CHRIS has been developed in partnership with current GSA clients and is designed to allow customization of the software to meet individual agency needs.

Hardware: Both the payroll and the HR application reside on IBM RS/6000 servers, located at the Lockheed Martin Data Center in Beltsville, MD.

Software: The CHRIS/PAR system was being developed and deployed as a client-server departmental system. However, the client conversion and implementation have been delayed until early 2002 in order to migrate to the web based version 11i of Oracle HR. The effect is to eliminate the client end of the product and implement a purely web-based application where the only requirement for NCUA use is a current internet browser, such as Microsoft’s Internet Explorer or Netscape Navigator. The payroll system was designed and developed by GSA, using Oracle software. CHRIS is based on a moderately customized version of the Oracle Federal Human Resources software. Other COTS modules may be purchased to provide support for specific functions in the future.

Functionality: CHRIS will support all aspects of the personnel life cycle such as: recruiting, classification, staffing, compensation, benefits, training, EEO reporting, and personnel processing and management. The HR and payroll systems (CHRIS/PAR) will be fully integrated.


SCOPE, OBJECTIVES, AND METHODOLOGY

The scope of this review consisted of evaluating whether NCUA has mitigated the project risks of a major HR system upgrade by performing appropriate analysis, planning and monitoring.

In performing this review, the following areas were addressed:

   •  Review the current status of CHRIS implementation at NCUA
   •  Identify any federal and NCUA HR system requirements and whether those requirements are fulfilled by CHRIS
   •  Review the justification for the HR system conversion
   •  Identify the system life cycle costs, benefits anticipated, and risks
   •  Determine if the agency identified all costs and tasks associated with the upgrade
   •  Determine contractual obligations with GSA for CHRIS
   •  Evaluate project team makeup
   •  Evaluate alternative options and decision process
   •  Identify any project milestones and plans for significant variances encountered
   •  Identify schedule and cost overruns and evaluate explanation of any overruns
   •  Review system test procedures performed and/or planned
   •  Review user training performed and/or planned
   •  Evaluate implementation and conversion plans
   •  Identify any security issues
   •  Review system interfaces
   •  Evaluate the potential integration of CHRIS with SAP and other NCUA systems

We believe it is prudent to identify such risks for the record, under the premise that successful risk management ultimately depends on active, senior management commitment to:

a) the need to mitigate risks where possible, as early in the project’s life cycle as possible; and
b) the need to accept and be accountable for clearly-defined risks that are not mitigated.

SAP had been implemented as the back office application to process financials. In addition to the financial module, the OCIO produced the ability within SAP to create SF-50 and SF-52 forms as directed by the OHR. However, the use of these forms was never implemented within the NCUA OHR. In September 1997, the HR SAP implementation was put on hold due to an OHR focus shift to an Office of Personnel Management issue.

In May 1998, when the current Director of HR at NCUA was appointed, the need for a new personnel action processing system was revisited. The HR Director was not satisfied with the limited HR functions already implemented in SAP and requested an implementation that would institute all of the federal HR edits and checks, similar to those provided in the current system (PIRS). As of July 1, 1998, SAP had not made a decision regarding their commitment to federalized HR requirements within their commercial-off-the-shelf (COTS) package.

The OHR researched several options and chose the General Services Administration’s (GSA) CHRIS system. CHRIS was selected because GSA would design CHRIS to interface with NCUA’s current payroll system (PAR), thus eliminating the need to convert to a new payroll system. It is our understanding that conversion of the payroll system was a non-negotiable requirement of each of the other optional inter-agency vendors of Personnel Action Processing Systems. Since GSA was to design the system for its own employees and would be the largest CHRIS client, NCUA believed GSA had a vested interest in delivering the system and, therefore, did not proceed with a formal requirements analysis.

The purpose of this memorandum is to present a statement of risks that we have identified during our review to date that, in our view, have not been mitigated by control techniques employed by the OHR team during their evaluation. We understand that our assessment may not address controls exercised informally, for example within the context of team meetings or discussions we did not attend. However, formal life-cycle controls are typically incorporated into key project management documents, and those we have had the opportunity to review do not appear to mitigate the accumulated risks we have enumerated below. Therefore, we must presume that these risks remain inherent in the project plan moving forward.

We conducted a review of NCUA’s compliance with Systems Development Lifecycle processes related to the CHRIS implementation. We do not provide assurance of the adequacy of the service provider’s system. All work was performed in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Our fieldwork was conducted at NCUA’s Alexandria, Virginia Central Office from November 8, 2001 through December 14, 2001.

Planning Phase:

Our audit approach was designed to provide efficient, effective and timely procedures. The procedures performed during the planning phase were to ensure the audit work performed is sufficient to support our report. General procedures that we performed during the planning phase included:

•   Obtained background information on the CHRIS implementation;
•   Obtained an understanding of NCUA’s SDLC methodology and control environment, as well as the controls inherent in CHRIS;
•   Determined our general information needs; and
•   Determined staffing needs and timing of fieldwork procedures.

The planning phase of the audit began with a detailed review of the service provider’s contract with NCUA and other relevant available documents. During this initial review, we documented our understanding of key contract provisions and our determination of the effectiveness of the service provider’s implementation of the contract.

Work program: The detailed work program documented our specific approach to the various review areas and included:

•   The planned degree of review of the system development lifecycle;
•   The planned extent of review procedures; and
•   Other major planning decisions for areas which are of significance.

Determining specific review objectives and potential errors that could occur was the basis for the conduct of the audit. We planned our review procedures to achieve these objectives and to ensure we neither omitted any review procedures nor performed unnecessary ones. This work program became the basis for the design of our detailed review procedures. As procedures were performed and results obtained, the work program provided a framework for determining review judgments.

Service Provider Implementation: We performed interviews with critical OHR personnel to determine GSA’s implementation of the CHRIS system. The procedures also included reviewing available documentation to determine:

•   The availability to users of all required features and services of the CHRIS system as developed;
•   The availability of the system security policies and procedures developed by GSA; and
•   The system lifecycle costs and benefits analysis.

Quality assurance: Establishing and maintaining effective security controls is an important responsibility of the management of the service provider. Effective quality controls are essential to achieving the proper conduct of the service provider under the NCUA contract with full accountability for its resources. Quality controls consist of those policies and procedures that GSA established to provide reasonable assurance that specific contract objectives are achieved.

We performed procedures to determine the availability of GSA’s quality assurance program, including the system test plan and basic security policies to maintain quality assurance of the CHRIS system. The procedures we performed related to the quality assurance of GSA included interviewing critical NCUA OHR personnel and NCUA system security personnel to determine the availability of a documented test plan and security policies.


FINDINGS AND RECOMMENDATIONS

We believe that NCUA would have benefited from a better-structured and better-controlled needs definition and product assessment process from the beginning. While we agree with OHR’s assertion that conversion of the existing payroll system was unnecessary, we do not share the confidence of the OHR team that the selection process has led to a clearly superior decision and system for NCUA. In addition, we do not believe it is in NCUA’s best interest to defer development and implementation of a security plan and risk assessment to the “post implementation” phase. Although NCUA can reasonably expect competent assistance from its service provider, we expect the costs of such reliance will continue to rise over time. Such costs could possibly rise to a point that narrows the cost/benefit gap between CHRIS and other comparable products regardless of the payroll conversion requirements of the comparable systems. We anticipate that the implementation effort itself is likely to reveal where weaknesses in the acquisition model could have been more effectively addressed during the project’s initial development. We have summarized the key risks as follows:

       A. Management may be accepting an unreasonable level of overall project risk, due to the accumulation of potential weaknesses that have not been mitigated through strong project development controls;
       B. NCUA user needs may not be specified in sufficient detail to ensure project success, due to over-reliance on GSA’s ability to produce a system that will meet NCUA’s requirements without a formal, independent needs analysis;
       C. Lack of top-down management focus on enterprise architecture may increase project risk, perhaps due in part to insufficient OCIO and/or ITOC involvement, as well as resource constraints needed to focus on CHRIS initiatives;
       D. Significant risk of project delivery due to repeated delays and variances in project milestones, potentially leaving NCUA without the current Personnel Information Resource System (PIRS);
       E. Significant security and access control risk due to lack of initial requirements analysis and documentation;
       F. Significant risk of expanding costs, due to a possible 100 percent increase in processing fees by 2004.

This section summarizes the risks accumulated during the PIRS system replacement process.


1. A structured system development life cycle (SDLC) and acquisition process or policy should be developed and enforced.

Risk

In our view, there may be continuing residual risks to project success due to missing or deferred components of a well-structured SDLC-based system acquisition. The SDLC methodology should require that the solution’s functional and operational requirements be specified. Regardless of whether a system is developed internally or obtained from a third party provider, a minimum level of controls is recommended to ensure that requirements are met, sufficient testing is performed, and appropriate security and controls are in place. In fact, NCUA recognized the importance of due diligence with third party providers and recommended in its Letter 01-CU-20 to All Federally Insured Credit Unions that credit unions perform a due diligence review when entering into agreements with third party service providers.

Recommendation 1

We recommend that NCUA ensure a structured process for the development and acquisition of third party systems. OHR did not, and was not required to, execute such a process. We further understand that strict adherence to an SDLC methodology may not always be appropriate for all third-party SDLC projects. To allow for a more flexible SDLC approach, we recommend that the ITOC and OCIO agree on and document the risk threshold limits that would require strict adherence to and approval of an SDLC project at NCUA. These risk threshold limits would define the amount of structure that is required for each SDLC project depending on the risk level per SDLC project (e.g., the greater the risk, the greater the amount of SDLC structure that would be required by NCUA management). Approval of the risk threshold limits should be based on three primary factors: (1) the cost of the project, (2) the impact to on-going business operations and (3) systems security requirements.

Management Comments

Management officials did not believe the application of an SDLC in this specific procurement action was appropriate because NCUA did not develop a system. Regarding systems development, when OCIO converted the agency from a mainframe processing environment to a client/server architecture, it decided to look for an existing SDLC methodology to use in software development efforts. The agency decided that for an organization of NCUA’s size, which does far more maintenance and incremental development, the best approach was to distill the key aspects of the Capability Maturity Model into the agency’s local policies and procedures.

OIG Response

As previously stated in our report, we agree that a formal full Systems Development Lifecycle (SDLC) methodology may not be appropriate for every SDLC project. However, when committing to SDLC projects, NCUA management should quantify the risk to NCUA and assign an amount of SDLC structure that is required based on the level of risk. These risk threshold limits would define the amount of structure that is required for each SDLC project depending on the risk level per SDLC project (e.g., the greater the risk, the greater the amount of SDLC structure that would be required by NCUA management). Approval of the risk threshold limits should be based on three primary factors: (1) the cost of the project, (2) the impact to on-going business operations and (3) systems security requirements.

We note that CHRIS was developed specifically for NCUA, which required modifications to the database tables and had data conversion needs. In addition, GSA is the first and only agency to implement CHRIS in the Federal government and NCUA would be first to implement the customized version of CHRIS. The due diligence that should have been performed is not unlike what NCUA requires from their member credit unions.

Furthermore, NCUA management should not wholly rely on the word of third-party vendors, whether these Federal agencies are small or large organizations within the Federal government. It is incumbent upon NCUA management to exercise their own due diligence in order to gain an appropriate level of assurance and minimize the overall risk to NCUA. To use an analogy, we all want the plane to land safely, but we also want to ensure that all reasonable safety precautions have been built into the process before takeoff. By taking the course of action of simply trusting GSA at their word, NCUA has taken on a much greater risk than necessary in order to implement CHRIS.


2. Active OCIO involvement is needed for SDLC projects.

Risk

We noted that OHR engaged various OCIO members in discussions regarding the SAP interface to CHRIS. However, technical and project risk may remain for NCUA due to OCIO’s limited overall role in defining and managing CHRIS project initiatives.

Recommendation 2

OHR planners and personnel need to work closely with the ITOC and OCIO in order to retain guidance and analysis regarding the technical aspects of the evaluation process. In addition, OCIO personnel have the technical background to ensure adherence to NCUA IT security, access control and testing policies and procedures. We are not aware that the OCIO has been involved to this extent in the acquisition and testing of this mission critical system. In the future, OCIO should be actively involved and engaged at each phase of the SDLC process, which includes: Concept, Requirements Definition, Detailed Design and Security Design, Development, Testing, Quality Assurance and Change Controls, and Implementation.

Management Comments

Management officials concurred with this recommendation.

OIG Response

OCIO was not actively engaged during the entire life of the CHRIS project. Although OHR retained an individual that previously worked for the OCIO, it is still important that OHR actively communicate the status of the project to OCIO on a regular basis. There are interdependencies within NCUA’s systems architecture that could adversely affect systems operability or security without the active involvement of OCIO.


3. Formal Requirements Definition was not performed and detailed Statement of Work from GSA was Insufficient.

Risk

There may be continuing project technical and cost risk due to possible gaps in needed functionality that were either: (a) not disclosed, or (b) not completely worked through or reviewed at a detailed level. We believe that a risk to project success continues due to the failure of NCUA to establish a fully qualified universe of requirements and user needs. We are not aware that a unique NCUA needs definition was established as a basis for assessing whether NCUA requirements were met, or that such requirements are being used to determine whether GSA has delivered a core system that is, in fact, federally compliant with personnel action requirements. There also remains a risk that needs beyond the core personnel action requirements have not been defined or even recognized. The result of such a process is a system that may not meet the business needs, requirements and expectations of NCUA users. A Statement of Work that was detailed and included a specific description of deliverables and provision for reasonable acceptance testing may have mitigated these risks to NCUA’s successful implementation of CHRIS.

NCUA relied on OPM’s “The Guide to Processing Personnel Actions (Guide)” as the requirements for the CHRIS project and has trusted in GSA to develop the system as needed. OPM’s guide states in Chapter One, page 1-13,

“Follow carefully the instructions found in the chapter(s) appropriate for the action. The instructions cover only the Office of Personnel Management’s requirements and may not include everything that your agency requires. Therefore, if your agency has its own processing instructions, you must follow them, as well. Because each personnel office may operate under different procedures, this Guide does not tell you who is responsible for each processing step.”

We are concerned that this scenario has effectively been substituted for the level of structured needs definition that typically must be addressed specifically by candidate vendors, both to satisfy evaluation criteria and to be incorporated into contract language as leverage against future product acceptance. We do not believe that these goals were satisfied during the OHR’s evaluation efforts, although their approach likely did have the effect of “accelerating” the evaluation process.

There may be continuing project technical and cost risk due to possible gaps in needed functionality that were either:

      a. not disclosed at all, or
      b. not fully worked through at a detailed level.

We noted in NCUA’s Board Action Memorandum dated July 28, 1998 that there was a high-level summary of the Federal Human Resources Information Systems Core Functional Requirements. This document compares other Federal HR solutions with that of SAP. However, during our review OHR was unable to provide a documented account of NCUA’s specific and unique systems requirements for CHRIS. This should have been provided to GSA during the Requirements Phase of the project. There remains a risk that NCUA’s unique needs beyond the Core have not been defined or even recognized. The end result of such a process is a system that may not meet the user’s business needs, user requirements and expectations.

In addition, we reviewed a document entitled Oracle Government Human Resources Systems Requirements dated February 28, 1997. This eight-page document outlines several business processes that GSA proposed to be delivered. However, during the course of our review, we noted that OHR had not received any documentation from GSA to ensure that these business process requirements were actually designed and available to NCUA. OHR should have documentation supporting that these business process requirements are actually functionally available from GSA prior to the implementation of CHRIS.

Recommendation 3

The Statement of Work should include a specific description of deliverables, and provision for reasonable acceptance testing.

Management Comments

Management officials do not concur. They believe the statement of work was adequate: CHRIS is a replacement HR system for PIRS, both of which were developed, implemented, and operated by GSA for federal clients.

OIG Response

We do agree that CHRIS may be functional for GSA and incorporate federal personnel processing requirements. However, NCUA management took GSA entirely on their word about the ability of CHRIS to perform as required by NCUA and did not request or receive any documented assurance from GSA that the final developed version of CHRIS was actually designed and functioning with all federal personnel processing requirements as well as NCUA’s specific requirements. Therefore, NCUA management took on an ever increasing risk for NCUA by not performing an adequate level of due diligence in respect to SDLC processes.


4. Periodic reevaluation of the CHRIS business case is needed

Risk

CHRIS was originally scheduled to be operational for NCUA in 1997 with enhanced service offerings available to the Administration in early 1998. By July 28, 1998, when the BAM was presented to the NCUA board, the scheduled NCUA system conversion was already delayed to June of 1999. In July of 2000 the GAO issued its “Report to the Chairman, Committee on Government Reform, House of Representatives: Information Technology: Selected Agencies’ Use of Commercial Off-the-Shelf Software for Human Resources Functions”. In this report GAO stated that, according to GSA, the deployment delay was caused by: (1) a lack of maturity in the Oracle product relative to the HR needs of federal agencies, (2) a lack of skilled resources, and (3) GSA’s decision to implement the system with internal staff. In October of 2000, GSA communicated to NCUA that a change in senior management (top CHRIS manager) took place. New management wanted to slow deployment and implementation in order to determine how client implementation was to be conducted. Therefore, all client implementations, including NCUA’s, were postponed into calendar year 2001. In December of 2000, GSA again communicated to NCUA that they had not yet received approval of the fiscal year 2001 budget for the CHRIS project. Thus GSA would be working with substantially less funding than anticipated, which reduced the number of consultants working with GSA on the project. GSA again postponed implementation in this communication, but committed to bringing on external customers in Spring 2001. In May of 2001, GSA, again, discussed plans with NCUA to postpone implementation until the spring of 2002 in order to migrate to version 11i of the Oracle relational database management system. NCUA’s go-live date is now scheduled for February 27, 2002.

We believe there remains a risk that the CHRIS system will not be fully implemented in the timeframe communicated by GSA, leaving NCUA at risk of not having a supported human resources information system. In addition, NCUA is uncertain of processing fees beyond the first two years, making it difficult to forecast future costs. According to OHR, the annual processing cost could rise from $60,000 to $120,000. It should also be noted that this cost estimate from GSA was verbal and there is no written agreement regarding future costs. Another point of consideration is that GSA may have only three clients utilizing the CHRIS system. Given this interagency client base, at some future date it may not be financially feasible for GSA to continue CHRIS service and support without a considerable increase in the annual fees of CHRIS users.

Recommendation 4

Though NCUA continually followed up with GSA regarding project delays, we could not verify that NCUA has reevaluated the business case regarding the GSA/CHRIS decision. NCUA should reevaluate the business case of implementing CHRIS on a periodic basis (e.g., annually) after implementation. This process will assist in identifying whether this system solution is still appropriate for the ongoing business strategy of NCUA. A systems business case review should focus on the detailed economics of the implementation and identify the estimated costs and benefits for NCUA over the life of the investment, as well as other business options that are available to NCUA. In addition, it may be beneficial for NCUA to determine if additional COTS packages are available that meet federal HR requirements and evaluate the benefits of implementing such a system considering both productivity gains and future cost savings.

Management Comments

Management officials concurred with this recommendation.


5. A structured SDLC project team should be implemented.

Risk

There may be additional risk to the overall success of the project due to a lack of a structured SDLC project team. For example, OHR has not interfaced with the CIO, NCUA’s Security Officer, or GSA’s Security Manager. Another concern brought to our attention is the lack of resource allocation in both the OHR and OCIO necessary to comply with sound best-practice SDLC procedures.

Recommendation 5

We recommend an SDLC methodology that includes the role of key players who may be involved in the development and implementation processes. Once senior management commits to the project, approval for the necessary resources is essential to ensure the involvement of key individuals or groups that adhere to a formal SDLC methodology. User management is responsible for systems requirements, acceptance testing and user training. The Project Manager ensures involvement from all affected departments and ensures the project adheres to standards set forth in the Statement of Work, while monitoring and controlling deliverables, costs and project timelines. The Security Officer provides guidance pertaining to suitable security processes that should be achieved, and a Quality Assurance Manager confirms adherence to the requirements set forth in the formal requirements analysis and stipulated in the Statement of Work.

Management Comments

Management officials do not believe a strict SDLC model is appropriate for an organization of NCUA’s size that does far more maintenance and incremental development. However, they do concur that active OCIO involvement is needed for systems development projects.

OIG Response

Regardless of how much structure is required for an SDLC project, it is essential that NCUA management ensure that basic internal control objectives are achieved in respect to project management.
Some of these controls include and are not limited to;\nproject management, systems security, and independent quality assurance\nmanagement.\n\n\n\n\n                                          -12-\n\x0cEVALUATION OF PROJECT RISKS ASSOCIATED WITH CHRIS\n\n\n\n\n6. Detailed system security requirements and access control need to be defined.\n\nRisk\n\nGSA has not shared the security documentation pertaining to CHRIS with NCUA,\nhowever, GSA communicated that Oracle Business Groups will support the system\nsecurity. When a NCUA user is assigned access to the system, the system security\ndefines that individual works for NCUA, therefore he/she will only be able to see\nNCUA\xe2\x80\x99s data.\nIn order to maintain local control initially, the only persons with access to CHRIS will be\nthe individuals at the Alexandria location who currently have access to PIRs. The\nDirector of OHR will remain the only individual within NCUA with authority to approve\npersonnel actions. Eventually NCUA plans to grant access to regional managers for\ngenerating requests for personnel actions and ad hoc reporting however the control\ndetails have not been thoroughly defined. GSA has not communicated to NCUA details\npertaining to web based security however, NCUA believes in good faith that GSA will\nmanage the security issues inherent in the web based version 11i of Oracle HR\nappropriately. We believe there is additional risk in NCUA\xe2\x80\x99s lack of understanding\nregarding the security features of the web-based application.\n\nRecommendation 6\n\nIn addition to implementing technical and operational controls, testing needs to be\nplanned and conducted to assure the security features effectively function by\nsegregating users and protecting NCUA personnel action data.\n\nManagement Comments\n\nManagement officials concurred with this recommendation.\n\n\n7. 
User acceptance testing needs to be defined.\n\nRisk\n\nAs of our report date, NCUA has not received test plans from GSA however, NCUA has\ndeveloped their own parallel testing plans. NCUA plans to manually check every\naccount and test the most likely nature of action codes. Test parameters defined to the\nUKW SACteam include:\n\n   \xe2\x80\xa2   Personnel transactions (A minimum of twenty records for each NOA will be\n       tested) Specific NOAs and transactions to be tested included but are not limited\n       to:\n\n\n                                            -13-\n\x0cEVALUATION OF PROJECT RISKS ASSOCIATED WITH CHRIS\n\n\n\n       \xe2\x80\xa2   Appointments\n       \xe2\x80\xa2   Position builds and fast copies\n       \xe2\x80\xa2   Reassignments\n       \xe2\x80\xa2   Promotions\n       \xe2\x80\xa2   Change to Lower Grade\n       \xe2\x80\xa2   Details\n       \xe2\x80\xa2   Pay (Agency unique)\n       \xe2\x80\xa2   Separations\n       \xe2\x80\xa2   Corrections\n       \xe2\x80\xa2   Cancellations\n       \xe2\x80\xa2   Awards\n       \xe2\x80\xa2   Relocation Bonus\n   \xe2\x80\xa2   Output Products\n       \xe2\x80\xa2 End of day processing (Validation reports, error reports etc.)\n   \xe2\x80\xa2   Reports\n       \xe2\x80\xa2 EEO Extract\n       \xe2\x80\xa2 DESIREs\n       \xe2\x80\xa2 113A & 113G\n   \xe2\x80\xa2   Tables\n       \xe2\x80\xa2 Local table updates\n       \xe2\x80\xa2 Central table lookups and edits\n   \xe2\x80\xa2   Interfaces\n       \xe2\x80\xa2 Payroll and Accounting Report (PAR) System\n       \xe2\x80\xa2 SAP\n       \xe2\x80\xa2 CPDF\n\nUpon completion of the initial test cycle and certification of system specification by the\nOHR Automation Specialist, the OHR CHRIS Team will begin parallel operations for\none-pay period. During parallel testing, sample personnel transactions will be processed\nand various output products will be reviewed for accuracy. 
Actions will be checked first\nto see if they meet the specifications requested and second to determine if the changes\nadversely impact other parts of the system. CHRIS results and reporting will be\ncompared and reconciled to PIRS\xe2\x80\x99 corresponding data. Problems uncovered through\ntesting will be documented and submitted to GSA CHRIS staff for resolution. Problems\nwill be re-tested by NCUA OHR staff to complete the certification of CHRIS.\n\nAlthough NCUA has scheduled parallel testing, there may be risk to the overall project\nsuccess considering acceptance testing was not detailed in the Statement of Work and\npass/fail criteria were not defined. NCUA assumes there will be signed user\nacceptance documents however this was not formally documented in the agreement\nwith GSA. In addition, significant transactions not occurring during the pay period when\nparallel testing is performed may not be tested providing no assurance that these\ntransactions will function properly for NCUA.\n\n\n                                           -14-\n\x0cEVALUATION OF PROJECT RISKS ASSOCIATED WITH CHRIS\n\n\n\n\nRecommendation 7\n\nWe recommend that NCUA detail user testing with GSA to include pass/fail criteria prior\nto beginning their own parallel test. NCUA should recognize that running a parallel test\nfor one-pay period is an insufficient amount of testing because it may not represent\nsignificant transactions occurring in other pay periods. A minimum amount of due\ndiligence would include reviewing GSA\xe2\x80\x99s test results. NCUA should review the following\ntest results of the CHRIS system provided by GSA:\n\n   \xe2\x80\xa2   Unit Testing\n   \xe2\x80\xa2   System Testing\n   \xe2\x80\xa2   Recovery Testing\n   \xe2\x80\xa2   Security Testing\n   \xe2\x80\xa2   Stress/Volume Testing\n   \xe2\x80\xa2   Performance Testing\n   \xe2\x80\xa2   Function/Validation Testing\n   \xe2\x80\xa2   Regression Testing\n\nManagement Comments\n\nManagement does not concur. 
They believe that since CHRIS has been operational\nand in live production at GSA for over a year, the recommendation that NCUA request\nand review GSA\xe2\x80\x99s test plans, as detailed, is unnecessary.\n\nOIG Response\n\nWe feel that it is necessary to re-state the need for NCUA management to conduct an\nadequate level of diligence in respect to overall systems testing. In addition, it is\nincumbent upon NCUA management to gain an appropriate level of assurance in order\nto minimize the business risk to NCUA. As a minimal requirement, NCUA management\nshould have requested test results from GSA and not just relied on GSA\xe2\x80\x99s unverified\nassurances alone. Some of the requirements that should have been covered in a\nstructured test plan include and are not limited to: Unit Testing, System Testing,\nRecovery Testing, Security Testing, Stress/Volume Testing, Performance Testing,\nFunctional/Validation Testing, Regression Testing and User Acceptance Testing.\n\n\n8. Data integrity controls need to be defined.\n\nRisk\n\nNCUA has been scrubbing current data and applying edits appropriate to CHRIS.\nDuring parallel testing, NCUA will manually check data to ensure accuracy of GSA\xe2\x80\x99s\n\n\n                                          -15-\n\x0cEVALUATION OF PROJECT RISKS ASSOCIATED WITH CHRIS\n\n\n\ninitial data load and reconcile personnel action transactions. GSA has informally\ncommunicated to NCUA that Oracle Audit will be implemented to track system changes\nalthough NCUA has no verification of this or plans for testing the audit trails provided.\n\nNCUA does not have assurance from GSA regarding control of transaction and\ntransmittal logs or the identified audit trails. UKW Advisors, Inc. was not able to\ndetermine if these audit logs will be available for NCUA\xe2\x80\x99s review and/or testing. Such\ncontrols may be vital to ensuring the integrity and validity of NCUA personnel action\ndata. 
Should system changes (either operating system, Oracle database or application\nprogram(s)) occur that affect NCUA personnel action data outside of normal user\ntransactions, NCUA may not have sufficient audit trail to track and reconcile changes.\n\nRecommendation 8\n\nIn order to determine the reliability of computer-processed data, the user should\nunderstand system controls which include both general and application controls.\nDocumentation of a well-controlled system should be complete and current. We\nrecommend that NCUA retain and review CHRIS system documentation. In addition,\nNCUA should request and review documentation from GSA pertaining to error\ncorrection procedures, transaction logs, transmittal logs, and audit trails as well as the\naccessibility of this information to NCUA personnel. OHR has indicated that they will\nhave paper trails for a full reconstruction. However, the manual reconstruction of these\ndocuments is a voluminous task that will create labor inefficiencies and could result in\nhuman error. It is more efficient and practical for NCUA to pre-define automated\ncontrols and review the systems transaction logs.\n\nManagement Comments\n\nManagement does not concur. They believe the core Oracle HR product provides the\nappropriate audit trails and error correction procedures and logs necessary to provide\nthe appropriate level of data integrity.\n\nOIG Response\n\nWe understand that the core Oracle HR product provides audit trails and error\ncorrection procedures. However, NCUA management has not defined a process to\nreview these logs to ensure that internal controls are built into the business process.\nDocumentation of a well-controlled system should be complete and current. In addition,\nNCUA should request and review documentation from GSA pertaining to error\ncorrection procedures, transaction logs, transmittal logs, and audit trails. 
Furthermore,\nNCUA did not have assurances from GSA regarding control of transaction and\ntransmittal logs or the identified audit trails. Each of these internal control areas should\nbe included in the CHRIS project plan as normal due diligence.\n\n\n                                            -16-\n\x0c'
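The automated control that finding 8 argues for (and that the parallel-test reconciliation in finding 7 would exercise), reconciling changes in personnel action data against the transaction log so that any change made outside a normal user transaction is surfaced for review, as an added example in Python; it is not part of the OIG report, of CHRIS or of Oracle HR. The record layout, the NOA codes, the field mapping and all data are hypothetical and constructed here.

```python
"""Reconcile before/after personnel snapshots against the transaction log.

Added example, not NCUA/GSA/Oracle code. Record layout, NOA codes and the
mapping of NOA -> changeable fields are hypothetical; data is constructed.
"""
from dataclasses import dataclass

# Hypothetical control table: fields a logged personnel action may change.
FIELDS_CHANGED_BY_NOA = {
    "PROMOTION": {"grade", "step", "salary"},
    "REASSIGNMENT": {"position", "org_code"},
    "AWARD": {"award_amount"},
}

@dataclass(frozen=True)
class Finding:
    employee_id: str
    field: str
    before: object
    after: object
    reason: str  # "unlogged" or "field not covered by logged NOA"

def reconcile(before, after, transaction_log):
    """Return each field-level change in `after` that the log does not explain.

    before/after: {employee_id: {field: value}} snapshots of the data.
    transaction_log: list of (employee_id, noa_code) user transactions.
    A change is explained only when a logged action for that employee is
    permitted to touch that field; anything else (e.g. a direct database
    edit, a batch job, a program change) is reported for follow-up.
    """
    allowed = {}
    for emp, noa in transaction_log:
        allowed.setdefault(emp, set()).update(FIELDS_CHANGED_BY_NOA.get(noa, set()))
    findings = []
    for emp in sorted(set(before) | set(after)):
        old, new = before.get(emp, {}), after.get(emp, {})
        for field in sorted(set(old) | set(new)):
            if old.get(field) == new.get(field):
                continue  # no change to this field
            if emp not in allowed:
                reason = "unlogged"
            elif field not in allowed[emp]:
                reason = "field not covered by logged NOA"
            else:
                continue  # change is explained by a logged transaction
            findings.append(Finding(emp, field, old.get(field), new.get(field), reason))
    return findings

# Constructed sample snapshots and log (one pay period).
BEFORE = {"E001": {"grade": 12, "step": 3, "salary": 70000, "position": "Examiner", "org_code": "R1"},
          "E002": {"grade": 13, "step": 1, "salary": 80000, "position": "Analyst", "org_code": "HQ"},
          "E003": {"grade": 9, "salary": 60000, "position": "Clerk", "org_code": "R2"}}
AFTER = {"E001": {"grade": 13, "step": 1, "salary": 76000, "position": "Examiner", "org_code": "R1"},
         "E002": {"grade": 13, "step": 1, "salary": 95000, "position": "Analyst", "org_code": "HQ"},
         "E003": {"grade": 9, "salary": 61000, "position": "Specialist", "org_code": "R3"}}
LOG = [("E001", "PROMOTION"), ("E003", "REASSIGNMENT")]  # E002 has no logged action

if __name__ == "__main__":
    for f in reconcile(BEFORE, AFTER, LOG):
        print(f)
```

E001's promotion explains all three of its changes; E002's salary change with no logged action and E003's salary change under a reassignment are the two items an auditor would pursue.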